Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ec73f7be975864e…

MALICIOUS

PDF

88.0 KB Created: 2021-06-25 13:51:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 8649b4826c237e6b9301c424b75f94d0 SHA-1: 4afd9e0c9d3a964d284394a57a9e8257b75ab8fd SHA-256: 1ec73f7be975864e29dcdc90c39507f59fbe8fc8dd9c9398b238350a62ccc7e4
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is identified as a malicious PDF by multiple heuristics and an ML classifier, with ClamAV detecting it as Pdf.Phishing.Trojan. The PDF contains numerous links pointing to compromised WordPress sites, suggesting a phishing or malware distribution campaign. The presence of external URIs and link farms on disposable hosting further supports this malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/uplcv?utm_term=is+code+of+concrete
    • http://test.uebersetzungen-nesselberger.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c518242f625---logivevawebaja.pdf
    • https://earthchartercities.org/wp-content/plugins/formcraft/file-upload/server/content/files/1609ec0e290a64---zoxerufa.pdf
    • https://ksboutlet.com/file/files/nazujegajalalafibiza.pdf
    • http://adhdadvisory.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092622957c10---naxawupalekatevama.pdf
    • https://cedarcreeksauce.com/wp-content/plugins/super-forms/uploads/php/files/614bd69ede9f588649410e4e30d89cdf/jugazupegadoviwinepe.pdf
    • http://www.orarestauratorisaf.it/wp-content/plugins/formcraft/file-upload/server/content/files/160bd554d9ff1a---60186566101.pdf
    • https://noks.cz/wp-content/plugins/formcraft/file-upload/server/content/files/1607616c606ac3---bodavow.pdf
    • http://mijneigenlift.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16082369450897---99634523386.pdf
    • https://www.techsrollout.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087d8abcb974---62648923442.pdf
    • https://aquariumfargo.com/wp-content/plugins/super-forms/uploads/php/files/8660cef942c49612c63b5b38d93ba38b/goxumupudogusifek.pdf
    • https://matrainagycsalados.hu/userfiles/file/20663735455.pdf
    • https://jfefood.com/wp-content/plugins/super-forms/uploads/php/files/949e2ada3cc5622064f42dcbf1741736/kukageke.pdf
    • http://sieckultury.pl/wp-content/plugins/super-forms/uploads/php/files/fccd1f9585318c02abb9da973e88e8fe/nupikofinexa.pdf
    • https://planet-for-events.de/userfiles/file/ditatiwunafewatelofomow.pdf
    • https://citronixdeflection.com/nbloom/fckuploads/file/21386714402.pdf
    • https://www.lipfish.no/wp-content/plugins/formcraft/file-upload/server/content/files/1608a2d9dbfb59---41187501498.pdf
    • http://www.loockuniformes.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/1609bdf1032b00---24617035083.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f459.bin
10fec1ebf53c26ed77a05e204f8026f94fbe0a0bd4cda987c4b10e383da37a9b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF459 18008 bytes
font_01_sfnt_off000122fc.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x122FC 16792 bytes
font_02_sfnt_off00013b13.bin
61d4e1af2575f02406a139597ec030cdff9ec6ee37fb04c284cd6a3ef4cc23ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13B13 10120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.